I have no clue what this is, but I keep getting a popup that says an error occured in "Remote Procedure Call" (RPC) and my system is going to shutdown.

After the message, I am getting a 1-2 minute timer that allows me to save my work and then my computer shuts down.

I never had this before and then had it the other day and twice in the past 30 minutes today.

I am using WinXP Pro. Anyone have a clue as to what is cuasing this?

Are you connected via a network?

As in?

I am 1 of 3 computers within a home network connected to a linksys router. Our ISP is a DSL company in Ontario known as magma.ca.

Right after I posted this, the message appeared AGAIN!

Here's a screenshot attached.

Wow..

I just got a call from a friend - her computer started doing this today too..

Bizarre. I haven't had a chance to talk to her yet (she left voicemail) but she has her computer hooked up via a cable modem, uses it for yahoo and stuff regularly but I don't think she's very security aware.

-David

Makes me wonder if this isn't the computer but rather someone else causing havoc!?

I just removed my IP from the linksys DMZ Host field (I use that to remote) so we'll see if this stops.

Rather odd though.

to my knowledge RPC problems are generally associated with network commands and malicious programs. And from the looks of your screen shot it looked as if the network was forcing your computer to shut down. It could either be someone playing with you or a virus that leaked into your network.

keep us updated.

Looks weird though

Makes me wonder if it's related to this at all:
http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm

She doesn't seem like the type that would patch her system :(

-David

Hmm... thanks for the link david. Who knew the DHS was actually working? :)


Due to the seriousness of the RPC vulnerability, DHS and Microsoft encourage system administrators and computer owners to take this opportunity to update vulnerable versions of Microsoft Windows operating systems as soon as possible. Microsoft updates, workarounds, and additional information are available at http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
DHS and Microsoft further suggest that Internet Service Providers and network administrators consider blocking TCP and UDP ports 135, 139, and 445 for inbound connections unless absolutely needed for business or operational purposes.

I suggest anyone having problems with RPC similar to the situation Jeff (Mekhu) described should try the quoted method above by contacting their ISP.

The rest of us should probably update our systems just in case. :(

Just on the phone with a client at the moment and then I'll do what Argious just posted.

I'll keep you updated.

I can tell you guys for certain that I've never updated my workstation...

Ok, after reading that little blurb posted, it does sound like this was not the system of someone. By removing my IP from the DMZ Host setting on my router, everything seems fine now.

If this does occur again, I'll post back to this thread.

Well, I know that the cable modem provider that she goes through filters ports 135 and 139 (as well as 80, 20, 23 and a few others). No idea on 445.

I'm on the phone with her now.. SHe's never updated her system, and all that she had done earlier today was install a new version of "MSN messanger". She's tried to do a config rollback - started before I was on the phone with her. I've basically told her that she needs to keep her system patched as much as possible - go to windows update and see if there's anything for her system.

(sigh)

-David

Here is the source code to that exploit if anyone is interesting in seeing how it works.

http://www.derkeiler.com/Mailing-Lists/VulnWatch/2003-07/att-0054/dcom.c

Originally posted by genlee
Here is the source code to that exploit if anyone is interesting in seeing how it works.

http://www.derkeiler.com/Mailing-Lists/VulnWatch/2003-07/att-0054/dcom.c

I don't really wanna compile the exploit myself, but...

Would that cause the RPC crash we've seen above? Anyone wanna be a guinea pig?

FWIW, I'm on the same cable modem network right now as my friend and the activity light on the cable modem is solid for some reason. There's only one computer on, and it's just doing my posts to WHT. Lots of traffic is hitting the router and being dropped. I don't know if this is possibly an attack of some type, if it's something hitting this segment of the network, or if it's completely unrelated. Who knows.

-David

If someone knows how to compile the above to work, you can test it on me. I am real curious to see if this is the system or a user causing this...

Originally posted by Mekhu
If someone knows how to compile the above to work, you can test it on me. I am real curious to see if this is the system or a user causing this... Yes, I'm wondeing the same.

It's a user btw.

I had the same thing this morning, went to Neowin.net; asked on the boards; and solved with in minutes. After applying the patch, it went away.

Originally posted by Fiber
Yes, I'm wondeing the same.

It's a user btw.

I had the same thing this morning, went to Neowin.net; asked on the boards; and solved with in minutes. After applying the patch, it went away.

Cool - glad it's 'fixable' that easily. The patch you're talking about is the one mentioned on that microsoft alert, right? I can't get to neowin.net from here.

Still have a *lot* of traffic on the modem side. Kinda strange - it looked like this when code red first hit as well. I'm half tempted to hook the laptop up to it directly and tcpdump it. If it continues I may well do it - too curious.

-David

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Gotten 2 IM's already; and I just send them the patch. (It was in my clipboard.)

I got it this morning, investigated it, and the patch worked for me.

Thanks for everyones help!

man this is freaky i just this second got off the phone to my pal about his pc keeps shutting down...

i googled and found the patch on microsoft(installed it myself a couple of weeks ago :) )

but to come onto wht as the next site i visited and the 1st thread is the exact same thing... thats just weird....

Originally posted by ciqala
man this is freaky i just this second got off the phone to my pal about his pc keeps shutting down...

i googled and found the patch on microsoft(installed it myself a couple of weeks ago :) )

but to come onto wht as the next site i visited and the 1st thread is the exact same thing... thats just weird....

Perhaps another worm?

Cable modem activity light is still *solid* (not the normal flickering only when the thing is being used) and the network just dropped and came back up.

I wonder...

-David

http://support.microsoft.com/?kbid=823980

run windows update and all shoud be sweet as a nut

Check this out:

http://developers.slashdot.org/developers/03/08/11/2048249.shtml?tid=126&tid=172&tid=185&tid=190&tid=201

Woo-hoo! It is a worm....

Our connectivity dumped again for the 4th time today. I think it's killing our cable modem system. I tried tcpdumping it but the dhcp server on our cable modem network does not appear to be responding.

Yay :)

-David

Not a nice worm at all!

So is their any infected files on my system?

Originally posted by Mekhu
Not a nice worm at all!

So is their any infected files on my system?

That appears to be determined. I've seen others say that it's the equivelent of a full root exploit, others aren't saying...

It appears as though the larger security sites are slashdotted though.. I'll find out more soon as I may have some other machines to patch up (parents, sigh...)

-David

More details:
http://isc.sans.org/diary.html?date=2003-08-11
http://www.secunia.com/advisories/9287/
Netbios ports are going up:
http://isc.sans.org/
http://isc.sans.org/images/port135percent.png

For those that cannot get to isc.sans.org (it's really slow or not responding), here's some info on it from the above page:

"So far we found the following properties:

- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot


Name of registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

Strings of interest:

msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

So it looks like it installs a trojan, msblast.exe, on the system as well.
-David

That patch was released on 7/17

how to fix:



How To Secure From RPC and MSBLAST worm:
By thelinuxguy

1.)
Go to start -> search and search your entire computer for msblast.exe. Most likly it will be hiding in winnt/system32. Delete that file!

2.)

open regedit, and backup!
browse to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

DELETE the entry windows auto update"="msblast.exe

3.)
Close Regedit and install one of these patches:
windows xp
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
windows 2000
http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

currently there is no patches for windows 2003

3.)

in windows xp & 2003:

go to your cmd prompt and do:
sc config RpcLocator start= disabled

in windows 2000 you have to go to administrative tools an then to services and disable the service

remore procedure call (RPC) locator

4.)

restart your pc

Originally posted by timechange
That patch was released on 7/17

Yes, but...

Some people just *never* update their pc's. THe friend I was mentioning earlier? Over 30 updates in windowsupdate to run ;)

Auto-cleaner for the trojan is here:
http://vil.nai.com/vil/stinger/

-David

and the patch doesnt work all the time. currently im helping 13 people with this

God bless my firewall, then. I patch all the time, but if the patches aren't working (which in the past, ms has done - one patch fixes problem A, another patch fixes problem B but re-opens the hole in problem A... )... That'd suck.

Time to install the best free patch there is (http://www.freebsd.org/)

:D

-David

Doesnt anyone check www.sarc.com anymore? They have it on the top of the page.

Just to be on the fair side of this as well, windows automatic update didn't apply this update on many XP machines.

Our isp got flooded with calls at about 1.30 pm CDT today on the issue. Pulled up sarc's page, got fix, helped ppl out.



P.S. My work xp machine (I hate it, but gotta use it) has auto update enabled on it, I have no updates possible, but I still had to patch the damn thing. Only rebooted twice though. :D

I always patch manually. I don't like auto-updates.

Its my crappy work pc (700mhz, 128 ram, running xp home for tech support issues) and has to be one of the slowest computers I we have at work, including the POS (point of sale) 400mhz celery machine which seems to run faster (98se / 96 ram)

2k is my os of choice. 2k didn't flinch when all this happened. Came home from work and my pc was up and running fine and dandy :)

We've had just over 6000 (six Thousand) calls today...

I would say that 5500 of those are related to this.

Originally posted by Mekhu
I have no clue what this is, but I keep getting a popup that says an error occured in "Remote Procedure Call" (RPC) and my system is going to shutdown.

After the message, I am getting a 1-2 minute timer that allows me to save my work and then my computer shuts down.

I never had this before and then had it the other day and twice in the past 30 minutes today.

I am using WinXP Pro. Anyone have a clue as to what is cuasing this?

this keeps happening to me too :(

I keep getting this notification that Remote Procedure Call (RPC) terminated unexpected, and you have 30 seconds until reboot.

When I had my firewall running, a file named msblast.exe (in the windows folder) is trying to access the internet, and I'm thinking that's what causing the problem.

Any idea on how to fix or what this is?

its a worm that allows people with the right programs to shutdown your PC.

You should download the Windows patch for it ASAP.

I've had three systems that I've worked on today that did this. Previously from what I read, people weren't sure what exactly it was going to do besides propagate itself. I guess today we found out. ;)

Wowee... this is like the biggest worm ever. I have never heard of this many people getting hacked and virused.

http://www.webhostingtalk.com/showthread.php?s=&threadid=174797&perpage=15&pagenumber=2

Read the reply by thelinuxguy in this thread.

Fortunately, I keep my own machines patched, but people who don't keep the money coming. :)

Wowee... this is like the biggest worm ever. I have never heard of this many people getting hacked and virused.Not really :) The SQL worm was much worse!

Originally posted by Coach
I've had three systems that I've worked on today that did this. Previously from what I read, people weren't sure what exactly it was going to do besides propagate itself. I guess today we found out. ;)

I kinda find it exciting. It's interesting to watch the clue-bat fall on people who don't patch computers that are hooked up to always-on internet connections. Kinda like a good thunderstorm in the summer to breakup the boredom :D

Course, I'm kinda wierd and like finding out about exploits and the like. That might have something to do with it.

-David

Very true. One thing that did surprise me a bit though is that I was working on one lady's laptop which was infected earlier this evening. She barely ever uses it and only uses a dialup connection. The other two were towers with a broadband connection. With a fast download speed, there's really no reason why those PC's shouldn't be up-to-date. Dial-up users I can almost understand, but the broadband folks need a good slap. ;)

I have Norton and Autoupdate running 24/7 and I still got it.

A lot of people are paranoid about letting Microsoft (or anyone else) connect to their computer Coach and they disable automatic updates.

Originally posted by fshost
I have Norton and Autoupdate running 24/7 and I still got it.

See below
Originally posted by Vamp22
Just to be on the fair side of this as well, windows automatic update didn't apply this update on many XP machines.

;)

Thats why a good firewall helps... God bless the little linksys and no DMZ. Stuff just bounces off of the router, never gets to the internal lan.

-David

Originally posted by JackMitchell
its a worm that allows people with the right programs to shutdown your PC.

You should download the Windows patch for it ASAP.

Hey blue, thx a lot!

I always check windowsupdate manually. I'm not really big on the MS automatic updates myself. I prefer to know what it is that I'm getting patched. The other reason being that it does miss some things as stated by vamp22.

However, for those paranoid about MS accessing their machines, you have to make a choice between the lesser of two evils. Would you rather have Microsoft updating your system or would you rather give some hacker access?

Given those two options, I would personally take my chances with Mr. Gates. :)

Or just do what thedavid has been preaching and install a firewall.

OK, I'll be honest with you. Whatever happens to my PC - I have no idea. If I get some error - I panic. Really panic.

Well, one just happened now. (I'm typing from my notebook). I the pc running, as I always do. I had only WHT in my browser and Windows Explorer with WinAmp running. When I approached it, I noted it was going for shut-down...

So now I can't load my desktop. I run WinXP Pro and every time Windows launches, I get the following error with a 1 minute countdown:

"System Shutdown

This system is shutting down. Please save all work in progress. Any unsaved data will be lost. This shutdown was initiated by NT AUTHORITY/SYSTEM

Windows must now restart because Remote Procedure Call (RPC) was terminated."

Fellows, please help me as it happens now every single time! And I can't even do nothing but watching it load, then go to restart over and over again. I have everything in that PC, all the documents, articles, web sites, everything...

What can I do? Do we have experts in this area on board?

I will really appreciate it!!! :bawling:

My God!! I'm not alone!

Mekhu is having the same problem, only just a couple of times!
http://www.webhostingtalk.com/showthread.php?threadid=174797

Anyone knows the subject?

Ok guys/girls here is the patch ya'll need!! http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp you can not cut and paste due to msblast disables it, it disables Norton, and SVChost.exe, you need to do a CTL+ALT+DEL ALT T and see if msblast.exe is running :) that patch will have you reboot and you will be fine, it is not fact that it comes threw DMZ, I had four clients today not even on a router but I am not DMZ running. I will have a link up here in the next 20 min of the HEX Editer on what the Creater said about Bill Gates :))

lol, talk about a sh!tstorm! hehehe

I just thought I'd come check out my thread and I see I wasn't the only one that got the crap scared out of em today!

Everyone fixed up now!?

Originally posted by Mekhu
Everyone fixed up now!?

Just fixed 3 minutes ago. Lost 3 Gb of good music by accident though...

lmao, guessing that's 3gb of "legal" music ;)

Originally posted by Mekhu
lmao, guessing that's 3gb of "legal" music ;)

legal? umm.. yeah.. hmm.. sure. :blush:

so it was the riaa who was behind all this!!! :D

....allegedly

Originally posted by blue27
Or just do what thedavid has been preaching and install a firewall.

LOL

Naw, the preaching had something to do with http://www.freebsd.org...

<as I'm waiting for the 30+ patches to download to the inlaws machine....>

I tell people they should update their machines, or use the auto-update thingy... Do they? No....

Tomorrow I get to do another friends machine, or talk her through it on the phone. Happy happy joy joy. Thank you MS and thank you script kiddies, and thanks to everyone who didn't patch :angry:

Sorry - it's almost 3 and I'm here patching these 'critical' machines. Little bitter for being known as 'the computer guy'.

-David

I disable all auto update and any access too/from my pc from anyone.

I haven't been hit yet, behind a router and a firewall.

I got it 4-5 times today already.

Now I'm on myother box.

Just hope it doesn't appear while im instaling..

i believe it only happens to dial-up users

Originally posted by IndyGal
i believe it only happens to dial-up users

Nope, it can happen to any vulnerable windows machine hooked directly to the internet.

-David

The MSBlast worm is spreading rapidly, and security experts predict that the spread will accelerate when hackers refine its code

The fast-spreading MSBlast worm seems to be crashing as many Windows computers as it's infecting, demonstrating to administrators that they need to patch their systems, security experts said on Monday.

Click here (http://insight.zdnet.co.uk/internet/security/0,39020457,39115633,00.htm) for advice on countering the worm.

By midafternoon on Monday, the worm had infected at least 7,000 computers in a matter of hours, according to data provided by security company Symantec. Still, security experts stressed that the program had several flaws that had slowed its spread.

Full article at ZDNet UK (http://news.zdnet.co.uk/0,39020330,39115630,00.htm)
Copyright © 2003 CNET Networks, Inc. All Rights Reserved.

Check the lounge SoKy. That has been discussed in depth.

Originally posted by Coach
Very true. One thing that did surprise me a bit though is that I was working on one lady's laptop which was infected earlier this evening. She barely ever uses it and only uses a dialup connection. The other two were towers with a broadband connection. With a fast download speed, there's really no reason why those PC's shouldn't be up-to-date. Dial-up users I can almost understand, but the broadband folks need a good slap. ;)

lol are you kidding, if the infection rate continues on my dailup ip subnet, i gonna be offline for awhile lol, my firewall only holds up to 999 entries, its already full,

:bawling: *very loud, long ass sigh* :bawling:

^^ vllas

its pretty funny to watch half of your buddylist sign on and off all morning :D

but im going to buy this t-shirt here (http://www.thinkgeek.com/tshirts/frustrations/388b/), im already blocking people who think security is just a joke, i can see it now, "oh dear, something is wrong with my bootleg copy of windows xp and cant/am affraid to update it, whats going on, its keeps restarting!!?? help me plzzz!" notice the zzz on the end of please. im babbling on...

You missed a thread mods. You left "Windows keeps Restarting" unmerged. :P . Anyways: I got that windows patch that people are talking about, and updated norton. My firewall is also blocking all ports except for those I use for IRC and running a small server.

That one was probably left out of this thread because the discussion took a turn a bit away from this topic.

Regarding the RIAA being behind this... possible because I know two of the PC's used Kazaa, but the dial-up one did no P2P filesharing at all. That's what surprised me about it, not the fact that it was a computer with only a dial-up account.

A new version has come out of this worm - that doesn't crash the computer, just '0wn3z' you:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDBOT.A

I'm just waiting for one to come out that has a truly destructive payload. The worm writers have been good to us so far.

-David

error message

ny authority system remote procedure cell terminated unexpectantly./.??????????? comptuer reboots

http://www.webhostingtalk.com/showthread.php?s=&threadid=174909

the fast read thread

http://www.webhostingtalk.com/showthread.php?s=&threadid=174797

the long thread

ran it, says it got rid of it but I still have it

i think you should follow the steps-better- thats it , it worked with me and i think with lots others.

I have 60 seconds to read it!!!!!!!!!!

How do I get to this please

open regedit, and backup!

start-> run type regedit

in the menu there is an option to backup i believe

if you do not know what you are doing then i suggest you get someone who knows what they are doing to do this... playing with the registry settings can be dangerous for your pc if you mess it up.

Originally posted by moshes
I have 60 seconds to read it!!!!!!!!!!
follow the steps, while you're not connected to the internet.

copy the text to a text file, the follow the steps, and when you reach step 3 (patch download), come online :)

i didnt back up and nothing happened, the most important thing is to delete the file (msblast.exe) and clear it's entry from the registry .

hope this helps

Healed, thank you creedance for giving back to the next guy in trouble!

anytime ;)

just for others who don't care

-------------
The worm does not allow remote access by a hacker, though security experts say that a variation on it may make that possible in the future.
------------

i posted this in another one of these threads earlier

if it starts shutting down then do the following

[start] -> [run] -> type cmd -> [ok] -> type shutdown -a -> [return]

the shutdown will stop and you can download what you need in peace :D

Originally posted by blue27
Check the lounge SoKy. That has been discussed in depth.

My bad... sorry! It's hard to keep up! :eek:

It propagated so fast I think there were about a dozen different threads started on this forum alone.

Microsoft patch

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp



CA cleanup tool

http://www.smh.com.au/articles/2003/08/12/1060588380849.html


Note: Windows ME is not affected.

Old news :)

Originally posted by fshost
Old news :)

I looked for your post helping out the community but could not find it. Can you point me in the right direction?

Simon

:?

There were about 5 threads about this, here's one

http://www.webhostingtalk.com/showthread.php?s=&threadid=174797

Hello,
My cousins Dell is having that worm problem. But there is another problem. It won't allow him to install the Security patch. He tried calling dell but takes hours so he just gave up. What should he do? Any help will be appreciated.

Also he doesn't even have a start menu on the bottom its just all white.